elharo commented on code in PR #5:
URL: https://github.com/apache/commons-xml/pull/5#discussion_r3448560776


##########
src/main/java/org/apache/commons/xml/Limits.java:
##########
@@ -231,10 +236,21 @@ final class Limits {
     }
 
     /**
-     * Sets every JDK-supported limit on a stock JDK {@link 
DocumentBuilderFactory}
-     */
-    static void applyToJdkDom(final DocumentBuilderFactory factory) {
-        JDK_LIMITS.forEach((name, supplier) -> setAttribute(factory, name, 
Integer.toString(supplier.getAsInt())));
+     * Best-effort application of the processing limits to a {@link 
DocumentBuilderFactory}, dispatched on the implementation.
+     *
+     * <p>External Xerces carries its limits on an {@code 
org.apache.xerces.util.SecurityManager} instance; every other implementation 
(the stock JDK and any
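Review bot: the rewritten Javadoc describes this as "best-effort" but never says what happens when a limit cannot be applied to the factory it receives (skipped silently, logged, or an exception thrown). Callers treat these limits as a hardening control, so a silent no-op is a security-relevant outcome and should be documented; consider adding, after "dispatched on the implementation.", a sentence along the lines of "Limits the implementation does not support are skipped without error." (or whatever the method actually does), so a reader knows whether an unrecognised implementation ends up with no limits at all.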

Review Comment:
   instance. Every other



##########
src/main/java/org/apache/commons/xml/XercesProvider.java:
##########
@@ -53,8 +49,7 @@
  *         {@code ACCESS_EXTERNAL_*} properties, so an explicit resolver 
installed on every parser/validator is the best way to block external
  *         entity, DTD and schema fetching, without disabling those features 
altogether. The wrappers exist for two reasons:</p>
  *         <ol>
- *             <li>{@link DocumentBuilderFactory} / {@link SAXParserFactory} 
carry no resolver, so it has to be set on each
- *             {@link DocumentBuilder} / {@link SAXParser} produced;</li>
+ *             <li>{@link SAXParserFactory} carries no resolver, so it has to 
be set on each {@link SAXParser} produced;</li>
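Review bot: the DOM half of this list item is removed, but the sentence above it still says an explicit resolver is installed "on every parser/validator", so a reader of this SAX-only item is left without a pointer to where the DOM resolver is now set. Since the class Javadoc in the later hunk says "DOM hardening lives in {@link DocumentBuilderHardener}", add the same cross-reference here, e.g. "... each {@link SAXParser} produced (DOM is handled by {@link DocumentBuilderHardener});" so the two wrappers' responsibilities are stated in one place.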

Review Comment:
   ;</li> --> .</li>



##########
src/main/java/org/apache/commons/xml/XercesProvider.java:
##########
@@ -39,7 +35,7 @@
  * Hardening recipes for the external Apache Xerces distribution (the {@code 
xerces:xercesImpl} artifact).
  *
  * <p>Factory classes live in the {@code org.apache.xerces.*} package. 
External Xerces does not ship a {@code TransformerFactory}, {@code 
XMLInputFactory} or
- * {@code XPathFactory}, so this class only handles DOM, SAX and Schema 
factories.</p>
+ * {@code XPathFactory}, so this class only handles SAX and Schema factories; 
DOM hardening lives in {@link DocumentBuilderHardener}.</p>
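Review bot: the header "@@ -39,7 +35,7" shows this Javadoc moved up four lines, which together with the removed "{@link DocumentBuilderFactory} / {@link DocumentBuilder}" links in the previous hunk suggests the corresponding imports were dropped; please check that no remaining {@link DocumentBuilderFactory} or {@link DocumentBuilder} in this file is left unresolved by that removal (an unresolved {@link} fails javadoc with -Xdoclint). Also consider mentioning DOM in the opening summary line ("Hardening recipes for the external Apache Xerces distribution ...") rather than only in the second paragraph, since the summary is what appears in the package index.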

Review Comment:
   factories. DOM



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]